As a follow-up, @james_inthe_box on Twitter helped … he told me to run it on Windows XP …
tagged as Win32.taterf.e
Any chance anybody knows what this is or how to analyze it?
It is old (1st submission '09), just crashes when I run it, and in IDA it says the import table is destroyed.
I found it on a thumb drive likely plugged into some older Windows OS.
Any help or direction would be sweet, thanks!
Thanks in advance for any help.
It's an RTF document that, per HA, is possibly using Equation Editor.
I ran rtfdump.py and found some interesting larger sections, such as:
1 Level 1 c= 3 p=00000000 l= 10610 h= 7574 b= 0 u= 173 \rtf1
2 Level 2 c= 1 p=00000034 l= 38 h= 3 b= 0 u= 5 \fonttbl
3 Level 3 c= 0 p=0000003d l= 28 h= 3 b= 0 u= 5 \f0
4 Level 2 c= 0 p=000001f6 l= 31 h= 11 b= 0 u= 5 \*\generator
5 Level 2 c= 3 p=00000316 l= 9815 h= 7560 b= 0 u= 163 \object
6 Level 3 c= 0 p=0000032f l= 23 h= 3 b= 0 u= 7 \*\objclass Equation.3
7 Level 3 c= 0 p=00000357 l= 7510 h= 7092 b= 0 O u= 0 \*\objdata
8 Level 3 c= 1 p=000020ae l= 2238 h= 465 b= 0 u= 156 \result
9 Level 4 c= 1 p=000020b7 l= 2228 h= 465 b= 0 u= 156 \rtlch
10 Level 5 c= 2 p=000020f5 l= 2165 h= 465 b= 0 u= 156 \pict
11 Level 6 c= 20 p=000020fb l= 1236 h= 109 b= 0 u= 156 *\picprop
12 Level 7 c= 2 p=00002111 l= 27 h= 5 b= 0 u= 6 \sp
But then I try to run it against a specific section:
rtfdump.py -s 7 -H
And rtfdump.py seems to be processing, but never finishes. I let it sit for 30 minutes and it never returned anything. I tried different sections, small ones, big ones, but same result. I've used rtfdump.py in this same fashion successfully before, but this one just seems to be taking forever.
Am I going about it the right way? Is there another alternative tool I could use to get the ASCII contents of an RTF section?
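One way to pull the `\*\objdata` hex out of an RTF and read the OLE1 header (version, format id, class-name length, class name) without rtfdump, as an added example that is not part of this thread or of rtfdump.py. The sample RTF is constructed to mirror the poster's layout (an `Equation.3` object with whitespace and line breaks inside the hex run); the hypothetical `analyze_rtf()` only triages, it does not execute anything.

```python
import re
import struct

# Constructed sample, not the poster's file: a tiny RTF with an Equation.3 object whose
# \*\objdata group holds a 39-byte OLE1 header plus four filler bytes, split across lines.
SAMPLE_RTF = (
    rb"{\rtf1\ansi{\fonttbl{\f0 Arial;}}"
    rb"{\object\objemb{\*\objclass Equation.3}"
    rb"{\*\objdata 01050000 02000000 0b000000" + b"\r\n" +
    rb"4571756174696f6e2e3300 00000000 00000000" + b"\r\n" +
    rb"04000000 deadbeef}}}"
)

def find_groups(data: bytes, name: bytes) -> list[bytes]:
    """Return the body of every {\\*\\<name> ...} group, tracking nested braces.
    Escaped braces (\\{ and \\}) are not handled; fine for triage, not for a full parser."""
    out = []
    for m in re.finditer(rb"\{\\\*\\" + name + rb"\b", data):
        depth, i = 1, m.end()
        while i < len(data) and depth:
            depth += {b"{": 1, b"}": -1}.get(data[i:i + 1], 0)
            i += 1
        out.append(data[m.end():i - 1])   # body without the closing brace
    return out

def objdata_bytes(group: bytes) -> bytes:
    """Decode the hex run of an \\objdata group; RTF allows whitespace/CRLF inside it."""
    hexrun = re.sub(rb"[^0-9a-fA-F]", b"", group)
    return bytes.fromhex(hexrun[: len(hexrun) & ~1].decode("ascii"))

def parse_ole1_header(blob: bytes) -> dict:
    """OLE1 object header: u32 version, u32 format id, u32 class-name length, class name."""
    version, fmt, name_len = struct.unpack_from("<III", blob, 0)
    name = blob[12:12 + name_len].rstrip(b"\0").decode("latin-1")
    return {"version": version, "format": fmt, "class_name": name}

def analyze_rtf(rtf: bytes) -> list[dict]:
    """One record per \\objdata group: declared objclass, parsed header, payload size,
    and a flag when the embedded object is an Equation Editor (Equation.x) object."""
    classes = [c.strip().decode("latin-1") for c in find_groups(rtf, b"objclass")]
    records = []
    for group in find_groups(rtf, b"objdata"):
        blob = objdata_bytes(group)
        hdr = parse_ole1_header(blob) if len(blob) >= 12 else {"class_name": ""}
        hdr.update(objclass=classes, size=len(blob),
                   equation_editor=hdr["class_name"].startswith("Equation"))
        records.append(hdr)
    return records
```

Running `analyze_rtf(open(path, "rb").read())` on a real sample reports each object's declared class and its decoded size, which is enough to decide whether the blob deserves a closer look in a sandbox.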
Maybe not the answer you were looking for, but the malware I fear the most is the malware I can't find, e.g. the stuff that is "living off the land" and using only legitimate OS tools, the stuff you can't decipher from legit sysadmin activity. That's what keeps me up at night!
Hi all, I was a web developer for 10 years (ecommerce, PCI compliance, etc.) and am relatively new to security in the last few years. I love assembly and programming, have taught it at a college level, and now am very excited to move my career forward and dig as far as I can into malware reverse engineering.
I'd suggest following researchers like @james_inthe_box on Twitter to get your daily dose of new runs of Ursnif and other malware.
In particular, @james_inthe_box is really good at sharing generic IOCs on Pastebin for various malware types.
His Ursnif pastebin post is here and might be a good start